Ed Bobrin, Director of Corporate and Home Systems Technology, DeLuca Homes
Apr 01 2005

Putting a Lock on Wi-Fi

Wi-Fi networks are inexpensive, easy to set up and an open door to everyone from harmless freeloaders to malicious criminals.

At first you can't figure out what happened. Your network has been hit with a virus, which means every computer in your company is infected. You can't send critical files to your clients for fear of spreading the virus further, so productivity is down, and deadlines are missed. You spend most of your day eradicating the virus and locating the source of the problem. Finally, you find the culprit—your wireless network.

Wireless networking has been a blessing for many small businesses, allowing those with limited information technology (IT) resources to expand their networks cheaply and easily. Wireless fidelity (Wi-Fi), which provides short-range, high-speed data connections among mobile devices, allows workers to access the network from any location in the office, which increases productivity. As a company expands, it can add users without installing expensive equipment—a Wi-Fi-ready notebook will do the trick. When expanding office space, simply add a couple of wireless access points to boost the signal—no more snaking miles of cable through the office.

But Wi-Fi is inherently insecure, leaving networks open to anyone. At best, others can simply ride free on your Internet access. The more devious might pry into your e-mail or personal files. At worst, hackers can use Wi-Fi as a back door to your network, where they can spread viruses, worms or spam.

Companies can take steps to keep their Wi-Fi networks secure: Encrypt the wireless signal, add layers of protection to applications on the network and establish and enforce sound security policies.

Encryption: The Key to Security

Encryption is the first line of defense. There are two choices with wireless encryption: WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). WEP uses a static encryption key, i.e., the key remains constant for all network devices until it is changed manually. So it's considered less secure than WPA's dynamic encryption method, in which the key automatically changes periodically. But WPA isn't foolproof, either. It is vulnerable to denial-of-service attacks, in which hackers bring a network to its knees by flooding it with useless traffic, according to security experts.

Depending on your business needs and applications, one type of encryption may be more appropriate than the other. For example, DeLuca Homes, a Yardley, Pa., home builder with 100 employees, uses Wi-Fi at its construction sites to allow its field workers to access a Web-based project and job-cost management application, says Ed Bobrin, DeLuca's director of corporate and home systems technology. Because anyone passing by the construction site could easily detect the wireless signal, DeLuca uses WPA encryption to make it nearly impossible to break into the system.

In DeLuca's office, however, the company wants more flexibility than WPA's periodically changing key allows. The company wants employees to be able to use notebooks in conference rooms and print documents on the fly. DeLuca also wants to accommodate clients and consultants who need Internet access when spending the day at its headquarters. Although WEP is less secure than WPA, it's much easier to give visitors a single key, then change it later if you're concerned that it poses a potential security risk, says Bobrin.

WEP's simple implementation—typing a password generates an encryption key—is also attractive to companies with limited IT resources such as Schwarzkopf Inc., a Culver City, Calif., manufacturer of hair-coloring and styling products. The company's traveling sales reps don't spend much time in any of Schwarzkopf's three offices. When they are in the office, Wi-Fi lets them check e-mail, access network resources and print documents from any desk.

"One 128-bit key is enough to keep [unauthorized users] out," says Anthony Mashkovich, Schwarzkopf's director of information technology. "With people going between different offices, if you have different sets of keys for different offices, it gets confusing very quickly."

Add a Few Choice Words

Because no wireless encryption technology is foolproof, adding layers of protection—such as passwords to each application on the network—will help discourage intruders. At its construction sites, DeLuca uses password protection for the project-management application in addition to applying WPA encryption.

CEO Takeaway
Think in terms of how your company will use the network. Some uses may require high security, such as protecting sensitive company or client information. Others may require less security and more flexibility, such as accommodating guest users.
Regardless of the type of encryption used, make sure you also protect sensitive applications with passwords.
Institute a companywide security policy, explain it to employees—and enforce it.

"If someone were to steal a laptop, they would still need a separate password authentication to get into our Web application," explains Bobrin.

Technological solutions alone, however, aren't enough to keep your assets secure. Companies should have a well-defined and strictly enforced security policy. Establish sound password policies. Educate employees about the importance of choosing strong passwords (at least eight characters with a combination of numbers, letters and symbols), and implement and enforce periodic password changes. Schwarzkopf requires users to change their passwords every two months and maintains a password history to prevent employees from re-using old ones.

On the whole, security risks "are mitigated by encryption and common sense," notes Bobrin. That's a formula that other businesses would be well advised to follow.

James Wasserman